MGASA-2016-0379

Description

Updated nss and firefox packages fix security vulnerabilities Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2016-5296, CVE-2016-5297, CVE-2016-9066, CVE-2016-5291, CVE-2016-5290). A flaw was found in the way Add-on update process was handled by Firefox. A Man-in-the-Middle attacker could use this flaw to install a malicious signed add-on update (CVE-2016-9064). An existing mitigation of timing side-channel attacks in NSS before 3.26.1 is insufficient in some circumstances (CVE-2016-9074).

Affected Systems

• mageia•firefox

  < 45.5.0-1.mga5

• mageia•firefox-l10n

  < 45.5.0-1.mga5

• mageia•nspr

  < 4.13.1-1.mga5

• mageia•nss

  < 3.27.1-1.mga5

• mageia•rootcerts

  < 20160922.00-1.mga5

References (5)

• https://advisories.mageia.org/MGASA-2016-0379.html
• https://bugs.mageia.org/show_bug.cgi?id=19789
• https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/
• https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
• https://rhn.redhat.com/errata/RHSA-2016-2780.html